Configuring the Message Queue Client Runtime to Require Signed Certificates

You must now configure the Message Queue client runtime to require signed certificates, and ensure that it trusts the certification authority that signed the certificate.

To Configure the Client Runtime to Require Signed Certificates

Set the connection factory's imqSSLIsHostTrusted attribute to false.

By default, the imqSSLIsHostTrusted attribute of the connection factory object that the client will be using to establish broker connections is set to true, meaning that the client runtime will accept any certificate presented to it. You must change this value to false so that the client runtime will attempt to validate all certificates presented to it. Validation will fail if the signer of the certificate is not in the client's trust store.

Verify whether the signing authority is registered in the client's trust store.

To test whether the client will accept certificates signed by your certification authority, try to establish an SSL connection, as described above under Configuring and Running an SSL-Based Client. If the CA is in the client's trust store, the connection will succeed and you can skip the next step. If the connection fails with a certificate validation error, go on to the next step.

The client searches the key store files cacerts and jssecacerts by default, so no further configuration is necessary if you install the certificate in either of those files. The following example installs a test root certificate from the Verisign certification authority from a file named testrootca.cer into the default system certificate file, cacerts. The example assumes that J2SE is installed in the directory $JAVA_HOME/usr/j2se:

A third possibility is to install the root certificate into some other key store file and configure the client to use that as its trust store. The following example installs into the file /home/smith/.keystore:

Since the client does not search this key store by default, you must explicitly provide its location to the client to use as a trust store. You do this by setting the Java system property javax.net.ssl.trustStore once the client is running:
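
The client-side steps above, combined into one connection check. This is an added example, not code from the original documentation; the broker address mqssl://broker.example.com:7676/ssljms and the class name are placeholders, and it assumes the Message Queue client libraries (imq.jar and jms.jar) are on the classpath.

```java
import com.sun.messaging.ConnectionConfiguration;
import com.sun.messaging.ConnectionFactory;
import javax.jms.Connection;
import javax.jms.JMSException;

public class SignedCertClientCheck {
    public static void main(String[] args) {
        // Trust store path taken from the page. Set it before the first SSL
        // connection, because JSSE reads this property when it builds its
        // default trust manager. Omit this line if the CA certificate was
        // installed in cacerts or jssecacerts instead.
        System.setProperty("javax.net.ssl.trustStore", "/home/smith/.keystore");

        // Assumption: placeholder broker address, overridable as args[0].
        String address = args.length > 0
                ? args[0]
                : "mqssl://broker.example.com:7676/ssljms";
        try {
            ConnectionFactory cf = new ConnectionFactory();
            cf.setProperty(ConnectionConfiguration.imqAddressList, address);
            // The default is "true" (accept any certificate). "false" makes
            // the client runtime validate the certificate the broker presents.
            cf.setProperty(ConnectionConfiguration.imqSSLIsHostTrusted, "false");

            Connection conn = cf.createConnection();
            System.out.println("Connected: the broker certificate was validated.");
            conn.close();
        } catch (JMSException e) {
            // Any connection failure lands here, including a certificate
            // whose signer is not in the trust store. The linked exception
            // carries the underlying SSL error.
            System.err.println("Connection failed: " + e.getMessage());
            Exception cause = e.getLinkedException();
            if (cause != null) {
                System.err.println("Cause: " + cause);
            }
            System.exit(1);
        }
    }
}
```

Running it once with the trust store line removed and once with it present shows whether the signing authority is already trusted through cacerts or jssecacerts.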